The group, based in government premises in Beiruit, apparently compromises governments and individuals on a contract basis

Security researchers working with civil liberties organisation the Electronic Frontier Foundation (EFF) say they have uncovered an espionage-for-hire ring operating out of government premises in Lebanon that has used Android mobile malware to compromise thousands of individuals and organisations since 2012.

The group’s existence is the result of technological advances that have put high-powered offensive cyber capabilities into the hands of countries that didn’t previously have them, said US-based computer security firm Lookout in a new report.

The company stopped short of saying the hacking group – which it calls Dark Caracal, after a type of nocturnal wild cat native to the Middle East – is backed by the Lebanese government.

But Lookout observed that it appears to be administered from the headquarters of Lebanon’s intelligence agency, the General Directorate of General Security (GDGS), in Beirut.

Dark Caracal represents a new type of security threat, one wielding nation-state-level hacking capabilities but apparently operating on behalf of other governments and organisations on a contract basis, Lookout said.

Espionage for hire

The firm reached that conclusion by observing the broad range of Dark Caracal’s targets, which include organisations typically of interest to governments, but not a single nation state.

Those targets include militaries, enterprises, medical professionals, lawyers, journalists, educational institutions and activists as well as utilities, financial institutions, manufacturing companies, and defense contractors across more than 21 countries in North America, Europe, the Middle East and Asia.

Dark Caracal is the first espionage ring seen to be operating on a worldwide scale, rather than limiting itself to the opponents of any one country, and has the added distinction of primarily attacking individuals’ mobile devices, with a custom-built mobile attack tool Lookout calls Pallas.

“We believe the actors would use Pallas against any target a nation state would otherwise attack,” Lookout stated.

Pallas is found in compromised versions of messaging apps such as WhatsApp and Signal, although Google said none of the infected versions were found on its official Google Play repository.

Google said it now protects devices from the malware in question and is in the process of removing it from users’ devices.

The hackers use desktop malware as well, including a “lawful intercept” tool called FinFisher, a Windows attack tool called Bandook RAT and a previously unknown, multi-platform tool called CrossRAT that operates on Windows, macOS and Linux.

Operation Manul

The EFF initially came into contact with the hackers when it investigated spying operations that targeted dissidents who had spoken out against Kazakhstan’s president Nazarbayev, a campaign the EFF called Operation Manul.

The EFF teamed up with Lookout to investigate further, and the two found that the infrastructure used by Operation Manul was being used on a global scale for other, unrelated activities.

“The team concluded that the same infrastructure is likely shared by multiple actors and is being used in a new set of campaigns,” Lookout and the EFF said in the report. “This suggests that Dark Caracal either uses or manages the infrastructure found to be hosting a number of widespread, global cyber-espionage campaigns.”

Lookout said Dark Caracal is one of the most prolific hacking groups it has seen to date, but the activities it has observed are likely to be only a few of the group’s operations.

“We have reason to believe the activity Lookout and EFF have directly observed represents only a small fraction of the cyber-espionage that has been conducted using this infrastructure,” the report said.